(will be inserted by the editor)
An Efficient Multistage Secret Sharing Scheme Using
Linear One-way Functions and Bilinear Maps
Mitra Fatemi · Taraneh Eghlidos · Mohammadreza Aref
the date of receipt and acceptance should be inserted later
Abstract In a Multistage Secret Sharing (MSSS) scheme, the authorized subsets of participants could reconstruct a number of secrets in consecutive stages. A One-Stage Multisecret Sharing (OSMSS) scheme is a special case of MSSS schemes that all secrets are recovered simulta-neously. In these schemes, in addition to the individual shares, the dealer should provide the participants with a number of public values related to the secrets. The less the number of public values, the more efficient the scheme. It is desired that MSSS and OSMSS schemes provide the computational security; however, we show in this paper that OSMSS schemes do not fulfill the promise. Furthermore, by introducing a new multi-use MSSS scheme based on linear one-way functions, we show that the previous schemes can be improved in the number of public values. Compared to the previous MSSS schemes, the proposed scheme has less complex-ity in the process of share distribution. Finally, using bilinear maps, the participants are provided with the ability of verifying the released shares from other par-ticipants. To the best of our knowledge, this is the first verifiable MSSS scheme in which the number of public values linearly depends on the number of the partici-pants and the secrets and which does not require secure communication channels.
Keywords Bilinear map· Linear one-way function· Multistage secret sharing · Multisecret sharing · Verifiability
M. Fatemi and M. Aref
Dept. of Electrical Engineering, Sharif University of Technol-ogy, Tehran, Iran
E-mail:{mitfatemi, aref}@sharif.edu T. Eghlidos
Electronics Research Institute, Sharif University of Technol-ogy, Tehran, Iran
E-mail: [email protected]
1 Introduction
In many applications, some piece of private information is required. For example, the parties involved in a se-cure communication may need to agree upon a secret to safeguard the transmitted data against misuse. How-ever, secrets are always exposed to unauthorized access or getting lost. To prevent a secret from the above men-tioned risks, one could benefit from a secret sharing scheme.
In a secret sharing scheme, a secret is shared among a set of parties, called participants, such that only au-thorized subsets of them could recover the secret. To make it happen, usually a trusted third party (dealer) assigns a confidential value to each participant as his/her share (shadow). Having these values, authorized subsets of participants could compute the secret through a pre-specified rule. The set, including all of the authorized subsets, is called an access structure. An access struc-ture could be chosen arbitrarily or it could be based on a threshold rule. In a (t, n)-threshold secret sharing scheme, each of the n participants is given a private share, such that every subset of at leastt participants could recover the secret from their shares.
The concept of secret sharing was first introduced by Shamir [1] and Blakley [2] in 1979, independently. Many other secret sharing schemes were presented since then, for example [3] and [4]. Some various features were con-sidered as well such as verifiability of the shares [5], [6], resistance against the presence of a number of cheaters [7], [8], generalized access structures [4] and dynamic change of the threshold and the number of participants [9], [10].
[11]. Note that here, the unconditional security is con-sidered, that is, no limitation is presumed on the com-putational power of the participants. It has been shown that in a perfect secret sharing scheme, the size of the shares should not be less than the size of the secret [11]; in the case of equality, the scheme is referred to as ideal [12]. However, it is possible to decrease the share size below the secret size, if it suffices to have the computa-tional security [13]. It should be notified that as stated in [13], ”computational security is in no way a practi-cal limitation. In fact, most implementations of theo-retically perfect secret sharing schemes result in actual computational security”.
A multistage secret sharing scheme (MSSS) is a gen-eralization of a secret sharing scheme, where there are more than one secret to be shared. Still, each partic-ipant receives one master-shadow, the size of which is the same as the size of each secret. Thus, MSSS schemes could only provide computational security. The first MSSS scheme was proposed by He and Dawson in 1994 [14] and further improved in [15], [16], [17], [18], [19], [20], [21]. In MSSS schemes, the secrets could be re-covered in different stages, possibly according to a pre-specified order. In these schemes, there are some public values in addition to the master-shadows. The partici-pants, who wish to participate in a secret reconstruction stage, derive the corresponding sub-shadows from their master-shadows and the public values.
In 2000, a one-stage multisecret sharing (OSMSS) scheme was proposed by Chien et al. [22]. In such a scheme, by assigning each of the participants a pri-vate shadow, a number of secrets are shared among them. However, when an authorized subset of partic-ipants pull their shares together, they recover all the secrets simultaneously in one stage, hence the name. Numerous OSMSS schemes were proposed thereafter to reduce the computational complexity and the number of public values [23], [24], [25], [26], [27], [28].
In this paper, we briefly study some of the previous MSSS and OSMSS schemes. The results of this inves-tigation show that the least number of public values published so far is equal to m×(n−t) in the former schemes [16] and equal to m+n−t+ 1 in the latter schemes [24]. In the case of verifiable OSMSS scheme, the least number of public values increases to 2n+1 [29] and 2(n+ 1) +m−t[28], wherem,nandtindicate the number of secrets, the number of participants and the threshold value, correspondingly. We also show that the OSMSS scheme has an inherent security problem, that is, it cannot provide the desired level of computational security. More specifically, every unauthorized subset of t−k participants are able to reduce the size of the secret space from |S|m to |S|k, where S indicates the
secret space and 0< k <min(m, t). Because of such a security dilemma in OSMSS schemes, we only focus on MSSS schemes, thereafter. Here, we propose an MSSS scheme, using a linear one-way function [30], which re-duces the number of public values fromm×(n−t) to m. Note that this is just equal to the number of secrets and is independent of the number of participants.
Next, we propose a modified version of the new scheme to acquire share verifiability with 2(n+1)+m−t public values. To the best of our knowledge, this is the first published verifiable MSSS scheme in which the par-ticipants could verify the correctness of other shares in the reconstruction stage. The proposed scheme also does not require any secure channel for transmitting the share values.
The rest of this paper is organized as follows. In section 2, we review the main concepts of secret shar-ing schemes. In section 3, we briefly study some of the previous MSSS and OSMSS schemes. The security flaw of OSMSS schemes is introduced in section 3 and then proved in section 4. The new MSSS scheme and its ver-ifiable version are presented in section 5. A thorough analysis of the new schemes along with a comparison with the previous schemes are given in the subsequent section. We conclude the paper in section 7.
2 Definitions
LetP ={P1, P2, ..., Pn}be the set ofnparticipants and SandSP be the sets of all possible values for the secret (the secret space) and the shares (share space), respec-tively. A secret sharing scheme is a method that guaran-tees accessibility and security of a secrets∈ S, simul-taneously. In such a scheme, each participant Pi,1 ≤
i≤nreceives a private sharesPi ∈ SP such that only
prespecified subsets of the participants, called autho-rized subsets, are able to recover the secret, using their shares. The set of all the authorized subsets is named an access structure, denoted by Γ. A threshold secret sharing scheme is a specific but crucial type of secret sharing with an access structure of the form
Γ ={A⊆P:|A| ≥t} (1)
wheretis the threshold value.
A (t, n)-threshold secret sharing scheme with a se-cret s ∈ S and the shares s1, s2, ..., sn ∈ SP is called perfect, if for every set oftindices{i1, ..., it} ⊂ {1, ..., n}, the two following conditions hold, whereH(.) is the en-tropy function.
H(s|si1, ..., sit−1, sit) = 0
In [11], it has been shown that the above constraints demand
H(si)≥H(s), i= 1, .., n (3)
Assuming that the secret and the shares are uniformly distributed in S and SP, respectively, which is usually the case, the relation (3) yields |Sp| ≥ |S|, where |A| represents the size of the set A. The scheme in which |Sp|=|S| is called an ideal secret sharing scheme [12]. In other words, in an ideal secret sharing scheme, all the shares have the same size as the secret. Being ideal is a desired feature since the transmission and storage of large shares are not profitable. Moreover, large share size brings about redundancy in the scheme that re-duces the efficiency.
A secret sharing scheme is composed of share distri-bution and secret reconstruction processes. The share distribution process is usually accomplished by a third authorized participant, called dealer. The dealer cal-culates the shares and sends them to the participants through secure channels. In the secret reconstruction process, an authorized set of participants cooperate to recover the secret.
A dilemma of the secret sharing schemes is that they are not resistant against the cheating participants who provide false share values to prevent the others from recovering the correct secret. This problem could be solved by adding verifiability of the shares to the scheme. In a verifiable secret sharing scheme, usually the dealer publishes some extra values during the share distribution process. By the help of these values, each participant is able to verify the correctness of the shares that are provided by other participants, before recover-ing the secret. The first verifiable secret sharrecover-ing schemes were presented by Chor et al. [5] and Stadler [6], in 1985 and 1996, respectively. Since then, numerous verifiable secret sharing schemes have been presented, for exam-ple [31] and [32]. The former scheme uses the points on an elliptic curve and the discrete logarithm problem to achieve verifiability, while the latter utilizes a bilinear map.
Perfect secret sharing schemes have the two follow-ing limitations:
1. In each scheme just one secret is shared among the participants; and
2. After the secret recovery, all of the shares, even the shares of those participants who have not joined the secret reconstruction process, get revealed.
Hence, to share another secret among these partici-pants, the dealer has to send them a new set of shares. Multistage secret sharing (MSSS) schemes and one-stage multisecret sharing (OSMSS) schemes have been pre-sented as efficient solutions to overcome the mentioned
constraints of the secret sharing schemes. In an MSSS scheme, a number of secrets are shared among the par-ticipants by assigning just one share (a master share) to each. All master shares have the same size as each of the secrets. Moreover, the participants are able to re-construct the secrets in different stages, without jeop-ardizing the security of uncovered secrets. An OSMSS scheme is a special case of MSSS schemes, in which all the secrets get revealed simultaneously. It is noteworthy that based on the lower bound on the size of the shares in a perfect secret sharing scheme, given in equation (3), both MSSS and OSMSS schemes could not pro-vide perfect security. Hence, we are just looking for the computational security in these schemes.
3 Review of previous MSSS and OSMSS schemes
In this section, we briefly review some of the previous MSSS and OSMSS schemes. The pioneer MSSS scheme presented by He and Dawson in 1994 [14] is based on the Shamir’s secret sharing scheme and exploits the concept of public shift values. Letf :Zp→Zp be an arbitrary one-way function. For everyx∈Zp and every positive integer k, fk(x) denotes the result of k successive ap-plications of f on x, that is, fk(x) = f fk−1(x)
and f0(x) = x. Let x1, x2, ..., x
n be n label values corre-sponding to the n participants. To share the secrets S1, ..., Sm among the participants P1, ..., Pn according to a (t, n)-threshold scheme, the dealer performs the following steps:
1. Choosesnarbitrary integerss1, ..., sn.
2. For each secret Si, i ∈ {1, ..., m}, chooses random valuesai1, ai2, ..., ait−1 ∈Zpand generates the
poly-nomial
Qi(x) =Si+ai1x+...+ait−1x
t−1
(4)
Then, he computes the shift values asdi,j=Qi(xj)−
fi−1(s
j), j∈ {1, ..., n}.
3. Sends the master-sharess1, s2, ..., snthrough secure channels to the participants P1, P2, .., Pn, respec-tively and publishes di,j, i ∈ {1, ..., m} and j ∈ {1, ..., n}.
Accordingly, the participantPj, who has gotsj, is able to computeQi(xj) by adding the values fi−1(sj) and
di,j for every i ∈ {1, ...m}. Then, to construct a se-cret Si in a stage, a set of t participants interpolate the polynomialQi(x) by the help of values Qi(xj) for
pseudo-shares and subsequently the secrets, the partic-ipants should follow a predetermined order for the se-cret recovery: the sese-cretSm−l+1 should be recovered in thel-th stage,l∈ {1, ..., m} and to reconstruct the se-cretSi, the participantPj presentsfi−1(sj) as his/her pseudo-share.
In [14], it has been shown that the public shift val-ues do not leak any information about the secrets and if the predetermined order of secret recovery is preserved, this scheme has computational security. However, in this scheme, the participants are able to contravene the predetermined order and compromise the security of unrecovered secrets.
The number of public values in MSSS and OSMSS schemes is an important parameter that affects the ef-ficiency of a scheme by increasing the required memory and communication load [33]. In the above scheme, the number of public values is equal to m×n. A similar MSSS scheme aiming to decrease the number of public values is presented in [16]. This scheme needsm×(n−t) public values which leads to a significant decrease of the number of public values whent is close ton. However, it still requires that the participants follow a predeter-mined order of secret recovery to preserve the security of the scheme.
In 1995, He and Dawson presented another MSSS scheme [15] to remove the predetermined constraint on the order of secret recovery. In this scheme, a two-variable one-way function is used instead of successively applying a one-way function on the master shares. To share the secrets in this scheme, the dealer performs the following steps.
1. Choosesnrandom integerss1, ..., snandnarbitrary constantsc1, ..., cn.
2. For i ∈ {1, ..., n}, shares the secret Si by applying the public shift values technique and by assuming the values F(sj, ci), j ∈ {1, ..., n} as the pseudo-shares, whereF(., .) denotes a two-variable one-way function. Letdi,j=Qi(xj)−F(sj, ci) be the result-ing shift values.
3. Sends the master shares s1, s2, ..., sn through se-cure channels to the participants P1, P2, .., Pn, re-spectively and publishesdi,j, i∈ {1, ..., m} and j∈ {1, ..., n}.
In this scheme, different secrets could be reconstructed in different stages in an arbitrary order. Again, the re-constructed secrets and public values do not leak any in-formation about unrecovered secrets. Furthermore, the number of public values in this scheme ism×n+m= m×(n+ 1). Note that in all of the above schemes, the dealer generatesmpolynomials to sharemsecrets.
Another MSSS scheme with similar structure is pre-sented in [18]. In this scheme, the secrets are again
as-sumed to be recovered in a specific order but unlike [14], this scheme could guarantee that the participants pre-serve this order. Similar to the previous MSSS schemes, this scheme employsmpolynomials to sharem secrets and it needsm×npublic values. Moreover, it is a multi-use scheme, that is, even after recovering all the secrets, the master-shares of the participants would be still kept secret and hence could be used in another MSSS ses-sion.
The first OSMSS scheme presented in 2000 is based on linear block coding [22]. In this scheme,msecrets are interpreted as the mcomponents of a message vector. This vector is then encoded using the generator matrix of a systematic block code. Finally, a number of code symbols are given to the participants as their shares and some other symbols are published. The authorized sub-set of participants could decode the codeword and re-cover the secrets, simultaneously. This scheme requires (m+n−t+ 1) public values.
Two more OSMSS schemes based on the Shamir’s secret sharing scheme are proposed in [23] and [24]. In these schemes, the shares are generated by a polynomial that has all the secrets as its coefficients. The number of public values in the former scheme is equal to (m+n−
t+1) andn+1 whenm > tandm≤t, respectively. For the latter scheme, this number is equal to (m+n−t+1). Many other OSMSS schemes have been presented that employ different methods for sharing the secrets. For example, the scheme in [25] is a verifiable OSMSS scheme with 2(n+ 1) and 2(n+ 1) +m−tpublic values for the case of m ≤ t and m > t, respectively and the one in [31] is a verifiable scheme based on linear recursive equations with 2(n+ 1) +m−tpublic values. In [29], another verifiable OSMSS scheme with 2(n+ 1) public values is presented. This scheme makes use of bilinear maps to provide the share verifiability for the participants.
Before we finish this section, we briefly explain the specific OSMSS scheme introduced in [23] as an exam-ple through which we reveal the security flaw of the OSMSS schemes in general.
1. Chooses the random valuesa1, ..., at−m∈ {1, ..., p− 1} and generates a polynomial Q(x)(modp) of de-greet−1 according to
Q(x) =S1+S2x+...+Smxm−1
+a1xm+a2xm+1+...+at−mxt−1(modp) (5) 2. Calculates the valuesyj =Q F(sj, r)
, j∈ {1...n}. 3. Publishes (r, y1, ..., yn). The number of public values
in this case is equal to (n+ 1).
In the case ofm > t, the dealer does the following steps. 1. Generates a polynomialQ(x)(modp) of degreem−1
according to
Q(x) =S1+S2x+...+Smxm−1(modp) (6) 2. Calculates the valuesyj =Q F(sj, r)
, j∈ {1, ..., n}. 3. Computes the public valuesQ(i)(modp), i∈ {1, ...,
m−t} and publishes the vector
(r, y1, ..., yn, Q(1), ..., Q(m−t)). The number of pub-lic values in this case is equal to (n+m−t+ 1).
Secret Reconstruction Process. In the case ofm≤t, at least t participants could obtain t points of the form
F(sj, r), yj
on the polynomial Q(x) and using the Lagrange interpolation, they could calculate Q(x) and subsequently the secrets. In the other case, in order to reconstruct the polynomial Q(x) of degree m−1, these participants could use the m−t public points (i, Q(i)), i∈ {1, ..., m−t} on the polynomial, in addi-tion to their shares.
Although in the above scheme, t−1 participants could not reconstruct the m secrets, according to the following discussion, they could reduce the search space of the secrets from|S|mto|S|, whereS denotes the se-cret space. Assumem≤tand consider the following set of (t−m+1) equations withtunknowns (S1, S2, ..., Sm,
a1, ..., at−m).
yj =S1+S2F(sj, r) +...+Sm F(sj, r)
m−1
+a1 F(sj, r) m
+...+at−m F(sj, r) t−1
,
j ∈ {1, ..., t−m+ 1} (7)
Every set of (t−m+ 1) participants, with the help of their shares, are able to omit t−m unknown co-efficients a1, ..., at−m and reduce the equations in (7) to one equation in m unknowns (S1, S2, ..., Sm). Us-ing a similar approach, t−1 participants could find (t−1)−(t−m) =m−1 linear relations between the m secrets. As a result, the search space of the secrets reduces to that of one secret for these unauthorized set of t −1 participants. That is, if they could find the value of just one secret somehow, they would recover all the secrets. The same argument satisfies for the case of m > t. In the next section, we show that what is stated here as a security flow for the OSMSS scheme in [23] is generally true for all OSMSS schemes.
4 Security flaw in OSMSS schemes
In this section, we show that in a (t, n)-threshold OSMSS scheme, an unauthorized subset ofk participants (k < min(m, t)) could reduce the search space of secrets from |S|mto|S|t−k, whereS andmare the secret space and the number of secrets, respectively. This is mainly be-cause the secrets are supposed to be revealed, simul-taneously. As a result, each participant uses the same share value to recover all the secrets.
Assume that at least t participants are needed to recover all the secrets and k ∈ {1, ...,min(m, t)} is an integer. The secrets and the shares are chosen randomly, according to an identical distribution from the same spaceS=Sp, whereSp is the share space. Hence,
H(S1) =H(S2) =...=H(Sm) =H(s1) =...=H(sn) (8)
where H(.) is the Entropy function. Then,
I (s1, ..., sk;S1, ..., Sm|sk+1, ..., st) =
H (s1, ..., sk|sk+1, ..., st)−H(s1, ..., sk|sk+1, ..., st, S1, ..., Sm) =
H (S1, ..., Sm|sk+1, ..., st)−H(S1, ..., Sm|s1, ..., sk, sk+1, ..., st) (9) With due attention to the definition of OSMSS schemes, H(S1, ..., Sm|s1, ..., sk, sk+1, ..., st) = 0. Therefore,
H (S1, ..., Sm|sk+1, ..., st)≤
H (s1, ..., sk|sk+1, ..., st)≤
H (s1, ..., sk)≤H(s1) +...+H(sk) =
kH (s1) =kH(S1) (10)
Equation (10) shows that the uncertainty about them secrets int−kshares is at most equal to the uncertainty of k secrets. In the case of k = 1, the uncertainty of t−1 participants about the secrets is equal to that of one secret.
5 Efficient MSSS schemes
precisely, in OSMSS schemes, all the secrets get re-vealed simultaneously which causes the required num-ber of public values in these schemes to be much lower than the corresponding number in MSSS schemes. The required number of public values in all of OSMSS schemes studied so far, depends linearly on the number of par-ticipants (n) and the number of secrets (m) which is equal tom+n−t+ 1 in the best case [22, 24].
MSSS schemes are more flexible, that is, in these schemes, the secrets could be recovered independently and possibly according to a desired order in successive stages. The required number of public values in all of the proposed MSSS schemes depends on the product of the number of participants and the number of secrets whose minimum value has been equal to m×(n−t) [16].
In this section, we propose two threshold MSSS schemes based on a linear one-way function. The first scheme needs justmpublic values in order to sharem secrets amongnparticipants. Then, by employing bilin-ear maps, we propose a verifiable version of this scheme that needs 2(n+ 1) +m−t public values to sharem secrets according to a (t, n)-threshold MSSS scheme. As referred to in section 3, no verifiable MSSS scheme has been proposed so far and the verifiable OSMSS schemes in [31] and [29] require 2(n+ 1) +m−t and 2(n+ 1) public values, respectively.
5.1 Preliminaries
Bilinear maps and linear one-way functions were first introduced in [34] and [30], respectively and then found some applications in identity-based cryptosystems [34] and network security [35], [36]. In this section, we briefly introduce these concepts, before we employ them in the proposed MSSS schemes.
Definition 1 [34] Let Gbe an additive group and G1 be a multiplicative group, both of orderqfor some large primeq(for example 160 bits). A mape:G×G→G1 is said to be an admissible bilinear map, if
1. e(aP, bQ) =e(P, Q)abfor alla, b∈Zq andP, Q∈G (Bilinear condition).
2. The map does not project all elements ofG×Gto the identity element ofG1 (Non-degeneracy condi-tion).
3. There is an efficient algorithm to compute e(P, Q) for allP, Q∈G(Computability condition).
An example of the groupsGandG1 together with a bilinear map could be found in [34].
The existence of an admissible bilinear mape:G× G→ G1 leads to the following result in the groups G andG1 [34].
– The Decision Diffie-Hellman problem (DDH) inGis easy, that is, it is easy to distinguish between the val-ues (P, aP, bP, abP) and (P, aP, bP, cP) wherea, b, c are random in Z∗q and P is random in G∗ but the Computational Diffie-Hellman problem (CDH) inG can be still hard; in other words, it is hard to find abP given random values (P, aP, bP).
Also, the discrete logarithm problem on elliptic curves, as defined below, is supposed to be hard [34].
– Let P be a generator and Q be an arbitrary ele-ment ofG. There exist an integerr∈Z∗q such that
Q=rP. The discrete logarithm problem on elliptic curves is equivalent to findingr, givenP andQ.
Remark 1 Consider the isomorphism induced from G to G1 by the bilinear map e. More specifically, for a point Q ∈ G∗ define the isomorphism fQ : G → G1 byfQ(P) =e(P, Q). The existence of an efficient algo-rithm for inverting fQ, for some Q, would lead to an efficient algorithm for solving discrete logarithm prob-lem in G1 [34]. Consequently, the isomorphism fQ is believed to be a one-way function whenever discrete log-arithm is believed to be hard inG1, as it is the case in all of the examples given in [34]. Therefore, throughout the paper the bilinear mapeis considered as a one-way function (P andQcannot be inferred frome(P, Q)).
In [30], a linear one-way functionh:G×Z∗q →Gis introduced to be used in an identity-based encryption (IBE) system. Here, we benefit from the properties of hin the proposed scheme.
Definition 2 [30] LetGbe an additive group of order q, whereqis a large prime number.h:G×Z∗q →Gis a linear one-way function, if
– For all P ∈ G and a, x ∈ Z∗q we have h(aP, x) =
ah(P, x).
– Given x, xi ∈Z∗q, P ∈G and xi, h(aP, xi)
for all i∈ {1, ..., n},h(aP, x) could not be computed, using any probabilistic polynomial-time algorithm.
The functionh, defined above, is a one-way function with respect to its first argument, that is,P cannot be inferred fromh(P, x) andx.
5.2 An MSSS scheme based on a linear one-way function
Leth:G×Z∗q →Gbe a linear one-way function where
points on an elliptic curve. Also, assume that the secrets S1, S2, ..., Sm are all inG. The proposed MSSS scheme consists of two processes: share distribution and secret reconstruction.
Share Distribution Process. To share the secretsS1, S2,
· · · , Sm according to a (t, n)-threshold MSSS scheme, the dealer executes the following steps.
1. Chooses random coefficientsa0, a1, ..., at−1∈Z∗qand generates the polynomial Q(x) = a0+a1x+...+ at−1xt−1.
2. Computes the values s1 =Q(x1), s2 =Q(x2),· · ·, sn=Q(xn), wherex1, ..., xn ∈Z∗q are the label val-ues assigned to the participants P1, ..., Pn, respec-tively.
3. Randomly chooses a generator P ∈ G and sends s1P, s2P, ..., snP via secure channels to the partici-pantsP1, P2, ..., Pn as their shares, respectively. 4. Calculates the valuesα1=h(s0P,1), α2=h(s0P,2),
· · ·, αm = h(s0P, m), where s0 = Q(0). Next, he publishes the valuesS1−α1, ..., Sm−αm.
Secret Reconstruction Process. Assume that a set of t participantsP1, ..., Pt want to collaborate in one stage to recover the secret Si, i ∈ {1, ..., m}. Each of these participants first calculates and pools his/her pseudo-share h(sjP, i), j ∈ {1, ..., t}. Next, they compute the valueh(s0P, i) from the following equation.
Pt
j=1 t
Y
i=1
i6=j
xi
xi−xj
h(sjP, i)
= h t X j=1 sj t Y
i=1,i6=j
xi
xi−xj
P, i
= h Q(0)P, i
=h(s0P, i) (11)
The participants P1, ..., Pt can then recover the secret
Si from Si−αi andαi=h(s0P, i).
The number of public values for sharingm secrets among n participants in the proposed scheme is inde-pendent of n and it is equal tom. Moreover, the par-ticipants can reconstruct the secrets according to their desired order rather than in a prespecified one.
5.3 A verifiable MSSS scheme based on a linear one-way function and a bilinear map
In this section, we present a modified version of the proposed MSSS scheme. In the new scheme, the dealer does not need secure channels to assign the shares to the participants. Moreover, the participants who collab-orate in a secret reconstruction stage could verify the
correctness of pseudo-shares that are presented by the other participants, before recovering the secrets. Here, in addition to the linear one-way functionh, we employ a bilinear map e : G×G → G1 to verify the shares, whereGandG1 are defined as in section 5.1.
Share Distribution Process. The dealer randomly chooses a generatorP ∈Gand a random secret valuer∈Z∗q. Then, he computes Q = rP and publishes the val-uesP andQ. Subsequently, each participant randomly chooses a secret value sj ∈ Z∗q as his/her share and sends the value sjQ to the dealer, via public chan-nels. Upon receiving all sjQ, j ∈ {1, ..., n}, the dealer first checks if these values are all distinct and then he computes the valuessjP, j∈ {1, ..., n}by the following equation.
r−1(sjQ) =r−1(sjrP) =sj(r−1rP) =sjP (12)
Then, the dealer computes the value Q(0)P according to the following equation, whereQ(x) is a polynomial of degree at mostn−1 which passes through the points (x1, s1P),(x2, s2P), ...,(xn, snP).
Q(0)P = n X j=1 n Y i=1
i6=j
xi
xi−xj
sjP (13)
The dealer also computes Q(dk)P as shown in (14), wheredk, k∈ {1, ..., n−t}are then−tsmallest values in the set{1, ..., q−1} \ {xj|j = 1, ..., n}and then cal-culates α1 = h Q(0)P,1
, α2 = h Q(0)P,2
, ..., αm =
h Q(0)P, m
. Finally, he publishes the vector siQ, Sj−αj, Q(dk)P
i=1,...,n,j=1,...,m,k=1,...,n−t
Q(dk)P = n X j=1 n Y i=1
i6=j
dk−xi
xj−xi
sjP , (14)
k∈ {1, ..., n−t}.
Secret Reconstruction Process. LetP1, P2, ..., Pt resem-ble t participants who come together in one stage to recover the secretSi, i∈ {1, ..., m}. Using their pseudo-shares h(sjP, i), j ∈ {1, ..., t} and the public values
Q(d1)P, Q(d2)P, ..., Q(dn−t)P, the participants are able to cal-culateαiaccording to
αi=h(Q(0)P, i)
= t X j=1 t Y
i=1,i6=j
xi
xi−xj
n−t
Y
i=1 di
di−xj
h(sjP, i)
+ n−t
X
j=1
n−t
Y
i=1,i6=j
di
di−dj
t
Y
i=1 xi
xi−dj
h(Q(dj)P, i) (15)
Share Verification Process. Before computing αi and re-covering the secretSi, the participantsP1, P2, ..., Ptcould con-firm the correctness of the submitted pseudo-shares through the following equation,
e(h(sjP, i), Q) =e(h(P, i), sjQ),1≤i≤m, j= 1, ..., t, (16)
wheresjQ, j∈ {1, ..., n}are public values.
If the equality in (16) holds for anyj∈ {1, ..., t}, the partic-ipants get confident about the validity of the pseudo-share
h(sjP, i).
The proposed verifiable MSSS scheme has 2(n+ 1) +m−t
public values, includingQ, P, s1Q, ..., snQ, S1−α1, ..., Sm−αm, Q(d1)P, ..., Q(dn−t)P. Similar to the scheme pre-sented in section 5.2, everytparticipants in this scheme are able to recover the secrets in a desired order and in consecu-tive stages.
A comprehensive analysis of the above schemes is pre-sented in the next section.
6 Analysis of the proposed MSSS schemes
In this section, we try to present a thorough analysis of the MSSS schemes, presented in section 5. This analysis is di-vided into two parts. First, we investigate the security of the proposed schemes. Next, we compare these schemes with the other MSSS schemes already presented in the literature.
We prove the computational security of the proposed MSSS schemes, by means of a couple of theorems. First, consider the scheme presented in Section 5.2. In that scheme, the random generatorP ∈Gdoes not need to be published. The following theorems, however, are still valid in the case thatPis public.
Theorem 1 In the MSSS scheme based on a linear one-way function, one cannot gain any information about the undisclosed secrets from already recovered secrets, in polynomial time.
Proof: Assume that the secrets{Si}i∈I, I⊂ {1, ..., m}are re-covered. Consequently, the values{αi=h(s0P, i)}i∈Iand the pseudo-shares{h(sjP, i),1≤j≤n}i∈I are revealed to thoset participants. Regarding the properties of the one-way linear functions,stated in Definition 2 of Section 5.1, however, none of the valuess0P, h(s0P, k), sjP andh(sjP, k),1≤j ≤nfor
k /∈Icould be calculated from{αi=h(s0P, i)}i∈I,
{h(sjP, i),1≤j ≤n}i∈I and I, in polynomial time. Hence, no information about undisclosed secrets is leaked from the recovered secrets, in polynomial time.
Theorem 2 In the MSSS scheme based on a linear one-way function, no subset of P = {P1, P2, ..., Pn} with at most t− 1 participants obtain any information about the secretsSi, i ∈ {1, ..., m}, in polynomial time.
Proof: Assume that a group oft−1 participants conspire to recover the secret Si in a stage. According to Theorem 1, the recovered secrets do not leak any information about the undisclosed secretSiin polynomial time. Without loss of gen-erality we assume thatSiis the first secret to be recovered. To calculateSi, the cheating participants need one of the values
s0P orh(s0P, i). Calculation ofs0P requires knowledge of at
leasttvalues of the master-sharessjP,1≤j≤non the poly-nomialQ(x)P, while these participants have only (t−1) out of thenmaster-shares. Regarding the perfectness of Shamir’s scheme, having only t−1 values of siP on the polynomial
Q(x)P with the coefficients chosen randomly according to a uniform distribution fromZq, it is not possible to obtain any information abouts0P, the constant term of this polynomial.
Moreover, to compute h(s0P, i), these participants need at
leastt values of the form h(sjP, i),1≤j ≤nbut they just havet−1 of them. Hence, the cheating participants do not extract any information about the secret Si. Bear in mind that the public values in this scheme are of the type of shift values presented in [14] and as shown in the same paper, these values do not leak any information about the secrets.
The above theorems confirm that the proposed MSSS scheme based on a linear one-way function has the computa-tional security. Moreover, it is a multi-use scheme. This means that even after recovering all of the secrets, the master-shares of the participants (that is,sjP,1≤j≤n) are kept confiden-tial and the shareholders can use their shares to recover a new set of secrets.
Security analysis of the verifiable MSSS scheme, intro-duced in Section 5.3, is similar to the above analysis. The only point that should be considered is that the values pub-lished to provide verifiability of the shares do not give any information about the shares of the participants. This state-ment is proved in the next theorem.
Theorem 3 In the verifiable MSSS scheme based on a linear one-way functionh:G×Z∗q→Gand a bilinear mape:G×G→ G1, no information about the master-shares leaks from the public
values in polynomial time.
Proof: It suffices to show that having the valuesP, Q, sjQ,1≤
j≤n, one could not compute the valuessjandsjP. With re-spect to the discrete logarithm problem, it is computationally impossible to calculatesjfromsjQandQ. Similarly, the par-ticipants could not computer, r−1∈
Z∗qwhich satisfyQ=rP andP =r−1Q. As a result, none of the participants can
com-putesjPfromsjP=r−1sjQ. Consequently, it is not possible for the participants to calculate any of sj or sjP from the public values. This completes the proof.
Table 6 shows the results of comparing the two MSSS schemes, proposed in section 5, with previous schemes from the following points of view: 1) The level of security; 2) Veri-fiability of the shares; 3) Number of public values for sharing
msecrets amongnparticipants according to a (t, n)-threshold scheme. It can be inferred from the results that the proposed MSSS scheme based on a linear one-way function needs the least number of public values; moreover, the verifiable MSSS scheme based on a bilinear map requires nearly the same num-ber of public values as the OSMSS schemes in [28],[29]. This is while the two latter schemes fail to provide the computational security.
7 Conclusions
In this paper, we have considered two generalizations of a secret sharing scheme: The One-Stage Multisecret Sharing scheme and the Multi-Stage Secret Sharing scheme. The de-sired level of security in these schemes is the computational security. However, we have proved that an OSMSS scheme fails to provide this security level. More precisely, in a (t, n) threshold OSMSS scheme withmsecrets, a set ofk < t unau-thorized participants could reduce the uncertainty about the
Table 1 Comparison of the two proposed MSSS schemes with the previous schemes
Scheme Computational Verifiability No. of Public
Security Values
OSMSS [22] No No n+m−t+ 1
n+ 1(m≤t)
OSMSS [23] No No
n+m−t+ 1(m > t)
OSMSS [24] No No m+n−t+ 1
n+ 1(m≤t)
OSMSS [27] No No
n+m+ 1(m > t)
OSMSS [28] No Yes 2(n+ 1) +m−t
OSMSS [29] No Yes 2n+ 1
MSSS [14] Yes No m×n
MSSS [15] Yes No m×(n+ 1)
MSSS [16] Yes No m×(n−t)
MSSS [18] Yes No m×n
MSSS [20] Yes No m×(n−t+ 1)
The proposed Yes No m
MSSS scheme
The proposed verifiable Yes Yes 2(n+ 1) +m−t
MSSS scheme
different secrets. Alternatively, in an MSSS scheme, the se-crets could be recovered in different stages. To make it hap-pen, the participants should derive some pseudo-shares from their master-shares to present in recovery of different secrets. OSMSS and MSSS schemes come usually with a num-ber of public values that are used for the share verification and the secret reconstruction. The study of MSSS schemes revealed that the number of public values in the proposed schemes is proportional to product of the number of the par-ticipants and that of the secrets and in the best case, it is equal tom×n. By employing a linear one-way function, we have presented an MSSS scheme where the number of pub-lic values exclusively depends on the number of secrets. This scheme uses only one generating polynomial for sharing dif-ferent secrets and hence has less computational complexity in the share distribution process, when compared to the pre-viously proposed schemes. The new scheme is multi-use and provides the desired computational security. Finally, using bilinear maps, we have presented a verifiable version of our scheme in which the participants are able to verify the re-leased shares from other participants. This verifiable scheme does not need any secure channel and the participants gen-erate their own shares. The number of public values in this scheme is equal to 2(n+ 1) +m−t.
Acknowledgements This work is partially supported by ITRC under the contraction no. T500/20961 and supported by cryp-tography chair of Iran NSF.
References
1. A. Shamir, ”How to Share a Secret”, Commun. ACM, vol. 22, no. 11, pp. 612–613, 1979.
2. G.R. Blakley, ”Safeguarding Cryptographic Keys”, AFIPS, National Computer Conference, vol. 48, pp. 313– 317 , 1979.
3. M. Mignotte, ”How to Share a Secret”, Cryptography Pro-ceedings, Burg Feuerstein 1982, T. Beth, ed., LNCS 149, pp. 371–375, 1983.
4. J. Benaloh and J. Leichter, ”Generalized Secret Shar-ing and Monotone Functions”, Advances in Cryptology – CRYPTO ’88, S. Goldwasser, ed., LNCS 403, pp. 27–35, 1989.
5. B. Chor and S. Goldwasser and S. Micali and B. Awer-buch, ”Verifiable Secret Sharing and Achieving Simultane-ity in the Presence of Faults”, Proceedings of the 26th IEEE Symposium on the Foundations of Computer Science, IEEE Press, pp. 383–395, 1985.
6. M. Stadler, ”Publicley Verifiable Secret Sharing”, Ad-vances in Cryptology, EUROCRYPT’96, LNCS, vol. 1070, pp. 190–199, 1996.
7. E.F. Brickell and D.R. Stinson, ”The Detection of Cheaters in Threshold Schemes”, Society for Industrial and Applied Mathematics (SIAM), vol. 4, no.4, pp. 502–520, 1991.
8. W. Ogata and K. Kurosawa, ”Optimum Secret Sharing Scheme Secure against Cheating”, U. Maurer (ed.) Ad-vances in Cryptology, EUROCRYPT’96. LNCS, vol. 1070, pp. 200–211. Springer, Heidelberg, 1996.
9. K.M. Martin and R. Safavi-Naini and H. Wang, ”Bound and Techniques for Efficient Redistribution of Secret Shares to New Access Structures”, Computer Journal, vol. 42, no. 8, pp. 638–649, 1999.
10. S.G. Barwick and W.A. Jackson and K.M. Martin, ”Up-dating the Parameters of a Threshold Scheme by Minimal Broadcast”, IEEE Transactions On Information Theory, vol. 51, no. 2, pp. 620–633, 2005.
11. E.D. Karnin and J.W. Greene and M.E. Hellman, ”On Secret Sharing System”, IEEE Transaction on Information Theory, vol. 29, no. 1, pp. 35–41, 1983.
12. E.F. Brickell and D.M. Davenport, ”On the Classification of Ideal Secret Sharing Schemes”, Journal of Cryptology, vol. 4, pp. 123–134, 1991 [Preliminary version appeared in Advances in Cryptology – CRYPTO ’89, G. Brassard, ed., LNCS 435, pp. 278–285, 1990].
14. J. He and E. Dawson, ”Multi-Stage Secret Sharing Scheme Based on One-way Function”, Electronic Letters, vol. 30, no. 19, pp. 1591–1592, 1994.
15. J. He and E. Dawson, ”Multisecret-Sharing Scheme Based on One-way Function”, Electronic Letters, vol. 31, no. 2, pp. 93–95, 1995.
16. L. Harn, ”Comment: Multistage Secret Sharing based on One-way Function”, Electronics Letters, vol. 31, no. 4, pp. 262–262, 1995.
17. L. Harn, ”Efficient Sharing (Broadcasting) of Multiple Secrets”, Proceeding of the IEE Comput. Digit. Tech., vol. 142, no. 3, pp. 237–240, May 1995.
18. T.Y. Chang and M.S. Hwang and W.P. Yang, ”A New Multi-Stage Secret Sharing Scheme Using One-Way Func-tion”, ACM SIGOPS Operating Systems, vol. 39, pp. 48–55, 2005.
19. C.W. Chan and C.C. Chang, ”A Scheme for Threshold Multi-Secret Sharing”, Applied Mathematics and Compu-tation, vol. 166, pp. 1–14, 2005.
20. H.X. Li and C.T. Cheng and L.J. Pang, ”An Improved Multi-Stage (t,n)-Threshold Secret Sharing Scheme”, WAIM05, Fan W., Wu Z., and Yang J., eds., LNCS 3739, pp. 267–274, 2005.
21. M. Fatemi and T. Eghlidos and M. Aref, ”A Multi-stage Secret Sharing Scheme Using All-or-Nothing Transform Ap-proach”, ICICS’09, LNCS 5927, pp. 449–458, 2009. 22. H.Y. Chien and J.K. Jan and Y.M. Tseng, ”A Practical
(t, n) Multi-Secret Sharing Scheme”, IEICE Transactions on Fundamentals, vol. E83-A, no. 12, pp. 2762–2765, 2000. 23. C.C. Yang and C.C. Chang and M.S. Hwang, ”A (t, n) multi-secret sharing scheme”, Applied Mathematics and Computation, vol. 151, no. 2, pp. 483–490, 2004.
24. L.J. Pang and Y.M. Wang, ”A New (t,n) Multi-Secret sharing Scheme Based on Shamir’s Secret Sharing”, Ap-plied Mathematics and Computation, vol. 167, pp. 840–848, 2005.
25. J. Zhao and R. Zhao, ”A Practical Verifiable Multi-Secret Sharing Scheme”, Computer Standards and Interfaces, vol. 29, no. 1, pp. 138–141, 2007.
26. M.H. Dehkordi and S. Mashhadi, ”An Efficient Threshold Verifiable Multi-Secret Sharing”, Computer Standards and Interfaces, vol. 30, pp. 187–190, 2008.
27. S. Runhua and H. Liusheng and L. Yonglong and Z. Hong, ”A Threshold Multi-Secret Sharing Scheme”, IEEE International Conference on Networking, Sensing and Con-trol, ICNSC’08, pp. 1705–1707, 2008.
28. M.H. Dehkordi and S. Mashhadi, ”New Efficient and Practical Verifiable Multi-Secret Sharing Schemes”, Infor-mation Sciences, vol. 178, pp. 2262–2274, 2008.
29. S.J. Wang and Y.R. Tsai and J.J. Shen, ”Dynamic Threshold Multi-secret Sharing Scheme Using Elliptic Curve and Bilinear Maps”, International Conference on Future Generation Communication and Networking (FGCN’08), vol. 2, pp. 405–410, 2008.
30. J. Horwitz and B. Lynn, ”Toward Hierarchical Identity-Based Encryption,” Proceedings of EUROCRYPT ’02, LNCS 2332, pp.466–481, 2002.
31. M.H. Dehkordi and S. Mashhadi, ”Verifiable Secret shar-ing Schemes Based on Non-homogeneous Linear Recursions and Eliptic Curves”, Computer Communications, vol. 31, pp. 1777–1784, 2008.
32. C. Wei and L. Xiang and B. Yuebin and G. Xiaopeng, ”A New Dynamic Threshold Secret Sharing Scheme from Bilinear Maps”, ICPPW, Intl Conf. on Parallel Processing Workshops07, IEEE Computer Society, pp. 19–22, 2007. 33. G.D.L. Crescenzo, ”Sharing One Secret vs. Sharing Many
Secrets: Tight Bounds on the Average Improvement Ratio”,
Proc. of 11th Annual ACM-SIAM Symp. on Discrete Algo-rithms, Society for Industrial and Applied Mathematics, pp. 273–274, 2000.
34. D. Boneh and M. Franklin, ”Identity-Based Encryption from the Weil Pairing”, Advances in Cryptology, Crypto’01, LNCS 2139, pp. 213–229, 2001.
35. Z. Wan and K. Ren and B. Preneel, ”A secure privacy-preserving roaming protocol based on hierarchical identity-based encryption for mobile networks”, First ACM Conf. on Wireless Network Security (WiSec08), 2008.
